Environment
iManager 2.7.X
OES 2015
OES 11
Situation
When attempting to install plugins from Novell Downloads (nu.novell.com), the plugin install never progresses or completes.
The /var/opt/novell/tomcat6/logs/catalina.out file shows the following error:
NetIQ JClient 2.08.0503-2.8.503. (c) 2013 NetIQ Corporation and its affiliates. All Rights Reserved.
DownloadAndInstall..124 com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException:
The certificate issued by CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
Resolution
Download the certificate specified in the catalina.out file from https://www.digicert.com/digicert-root-certificates.htm
For example:
DigiCert Global Root CA
DigiCert High Assurance EV Root CA
Copy the downloaded certificate to the OES server. For this example, the certificate was saved as: DigiCertHighAssuranceEVRootCA.crt
Install the certificate into the cacerts file used by iManager using the following command:
When prompted "Trust this certificate? [no]:", type yes and press Enter.
When prompted "Enter keystore password:", type changeit
Restart iManager: rcnovell-tomcat6 restart
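A root CA added to cacerts becomes a trust anchor, so the downloaded file should be checked against the SHA-256 fingerprint published on the DigiCert page before it is imported. The script below is an added example, not part of the original article or a NetIQ tool: it wraps the copy and import steps above with that check and a keystore backup. It assumes openssl and the keytool of the JRE used by Tomcat are on the PATH; the alias and function names are illustrative.

```shell
#!/bin/bash
# Added example: verify a downloaded root CA, then import it into iManager's cacerts.
# KEYSTORE and the certificate file name come from the article; the alias and
# the function names are illustrative assumptions.
KEYSTORE="${KEYSTORE:-/var/opt/novell/tomcat6/conf/cacerts}"

# Normalise a fingerprint: drop any "label=" prefix, colons and whitespace; upper-case.
normalize_fp() {
    printf '%s' "${1##*=}" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Succeeds only if both values are the same well-formed SHA-256 fingerprint (64 hex digits).
fp_matches() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    case "$a" in *[!0-9A-F]*|"") return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint of a certificate file (tries PEM, then DER).
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null ||
    openssl x509 -noout -fingerprint -sha256 -inform DER -in "$1"
}

# usage: import_root_ca <cert-file> <alias> <sha256-fingerprint-from-DigiCert-page>
import_root_ca() {
    cert=$1; ca_alias=$2; expected=$3
    actual=$(cert_fp "$cert") || { echo "cannot parse $cert" >&2; return 1; }
    if ! fp_matches "$actual" "$expected"; then
        echo "fingerprint mismatch, not importing: $actual" >&2
        return 1
    fi
    # Keep a timestamped copy so the trust store can be rolled back.
    cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # keytool prompts for the keystore password and for trust confirmation.
    keytool -import -trustcacerts -alias "$ca_alias" -file "$cert" \
        -keystore "$KEYSTORE" || return 1
    # Show the new entry so the stored fingerprint can be checked once more.
    keytool -list -alias "$ca_alias" -keystore "$KEYSTORE"
}

# Runs only when called with three arguments, for example:
#   ./import-root-ca.sh DigiCertHighAssuranceEVRootCA.crt digicert-ha-ev-root <sha256>
if [ "$#" -eq 3 ]; then import_root_ca "$@"; fi
```

Restart iManager afterwards as in the last step; the backup copy of cacerts allows the change to be reverted if the wrong certificate was added.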
Cause
The root CA for the DigiCert certificate used by nu.novell.com has not been imported into the certificate store file (/var/opt/novell/tomcat6/conf/cacerts) on OES.
Importing the certificate allows Java to trust the certificate used by nu.novell.com and download the NPMs for installation.
Additional Information
Note: Adding the DigiCert High Assurance EV Root CA certificate will cause all certificates issued by this CA to be trusted.